Did you know that the Family Educational Rights and Privacy Act (FERPA), a student privacy law that has been around for nearly 50 years, was influenced by the rise of computers?
Did you know that FERPA restricts educational apps from using students’ personally identifiable information for anything other than the educational purpose approved by the school?
Did you know that, contrary to popular belief, FERPA is continuously and actively enforced by the U.S. Department of Education?
Despite its continued applicability and relevance in today’s data-driven education landscape, FERPA is often criticized as outdated and insufficient. But the prevalence of inaccurate statements about FERPA does not mean that critiques are unwarranted: FERPA is hard to read, even harder to comply with, and long overdue for major updates. In this series of publications on Fixing FERPA, we delve into the actual problems with FERPA and propose potential solutions for updating and strengthening its provisions, all while ensuring the essential functions of schools remain intact.
Distinguishing Perception from Reality
It is crucial to differentiate between actual issues and perceived gaps in the law. For example, many federal and state bills were introduced in the past decade to ban the sale of student data, despite the fact that FERPA already prohibits such practices. By clearly understanding the existing protections and identifying genuine gaps in FERPA, we can make informed recommendations for updating and creating new laws to better protect student data.
We fail more often because we solve the wrong problem than because we get the wrong solution to the right problem.
- Russell L. Ackoff, pioneering systems thinker and organization scholar
Starting the Conversation
This series is in no way a definitive or comprehensive guide to remedying all of FERPA’s ills. There is no one-size-fits-all solution, and we do not intend for this series to be viewed as the only approach to modernizing FERPA. Fixing FERPA is meant simply to identify some of FERPA’s biggest problems and propose some theories on potential ways to solve them.
As Woody Hartzog noted in the preface of his book, Privacy’s Blueprint, “Theories are meant to evolve; they are meant to interact with other theories, to be criticized, reinterpreted, and, with any luck, eventually contribute to a momentum that improves our world.” By examining the challenges faced by FERPA and proposing potential solutions, this series intends to spark meaningful dialogue and prompt further exploration of improving student privacy protections. Fixing FERPA is just the beginning, paving the way for ongoing discussions and collaborations that will shape a more secure educational environment.
FERPA 101
It is interesting to think that a law enacted in 1974—pre-smartphone, mobile app, and modern computer—still governs the vast technological landscape and data collection practices of modern education. In the age of online learning and student one-to-one devices, the Family Educational Rights and Privacy Act of 1974 (FERPA) remains the primary federal law protecting student privacy. FERPA analysis has grown increasingly complex over the years as rules and guidance were added to account for emerging technologies–as highlighted during the COVID-19 pandemic when the education community struggled to apply FERPA in light of schools’ increasing reliance on educational technology. It can be a struggle to fit schools’ modern technology adoption and use within FERPA’s outdated framework, making it difficult to know which data and practices are subject to the law, let alone what the legal obligations are for educational agencies and institutions.
These FAQs serve as a primer for the Fixing FERPA series, providing key background information, historical context, and an overview of various provisions in the law.
FERPA is a federal privacy law that protects the privacy of students’ personally identifiable information (PII) in education records. FERPA primarily does two things: ensures appropriate access and limits unauthorized disclosure. Access is embodied through FERPA’s guarantee that parents and eligible students–students 18+ or attending higher education institutions–have the right to access their education records and to challenge the information in them as inaccurate or no longer relevant. FERPA prohibits all other disclosures of PII in education records unless there is consent or an applicable exception to FERPA’s consent requirement and certain safeguards are in place.
When Congress enacted FERPA in 1974, there were growing concerns about the kinds of private, personal information that public entities–such as schools–had access to and control over, the broader community’s limited awareness of and input in these data practices, and the potential for inaccurate records to limit people’s future opportunities. FERPA was intended to address the power imbalance between schools, parents, and students by codifying certain rights regarding access to and sharing of PII in student records.
All educational agencies and institutions that receive federal funding must follow FERPA. This means that public schools–whether elementary, secondary, or postsecondary–as well as many private schools–such as private postsecondary institutions that receive federal financial aid on behalf of their students–have to abide by FERPA.
FERPA protects PII in education records.
In general, PII is any information about a student that can reasonably be linked back to them. Under FERPA, PII includes both direct identifiers (such as first and last name) and indirect identifiers (such as grade level or year of birth). Vague descriptions like “the freshman student in yearbook club” can constitute PII under FERPA in the right circumstances, such as when there is only one freshman in the yearbook club. The test for when information is PII under FERPA is if it would allow a reasonable person in the school community to identify a specific student with reasonable certainty. Essentially, if the information can be linked back to an individual fairly easily, it falls under FERPA’s PII definition.
To be protected by FERPA, the PII must be located in education records. “Education records” are records that are: 1) directly related to a student; and 2) maintained by an educational agency or institution, or by a party acting for the agency or institution (34 CFR 99.3(a)). This includes a wide variety of formats, regardless of whether information is physically kept in the school filing cabinet or virtually stored in the cloud.
EAI = Educational Agency or Institution
IEP = Individualized Education Program
LEA = Local Educational Agency
PII = Personally Identifiable Information
SEA = State Educational Agency
SIS = Student Information System
De-Identified Records and Information (34 CFR 99.31(b)) | EAIs may release records or information after removal of all PII, provided that the EAI or another party has made a reasonable determination that a student cannot be reidentified. | A school could redact student names before releasing a list of student test scores with each student’s grade (and no other information) listed so long as enough grades are included to make particular students’ grades not reasonably re-identifiable. |
Personal Notes (34 CFR 99.3 “Education records”) | Records an individual keeps as a personal memory aid that are not shared with any other person, except for a temporary substitute. | A math teacher’s personal notes on which students they anticipate needing the most help on tomorrow’s long division lesson, to be shared only with tomorrow’s substitute math teacher. |
Information Obtained Through Personal Knowledge or Observation (Guidance) | Information about a student that was obtained through school personnel’s personal knowledge or observation, unless that knowledge is obtained through their official role in making a determination maintained in an education record about the student. | What a teacher heard students discussing in the hallway or whether they thought that a student appeared to be upset. |
Law enforcement unit records (34 CFR 99.3 “Education records” and 34 CFR 99.8) | An EAI’s law enforcement unit records that are created by a law enforcement unit for a law enforcement purpose and maintained by the law enforcement unit. These records can become education records if they are shared for a non-law enforcement purpose (such as the school disciplining a student) or are maintained exclusively for a non-law enforcement purpose. | School camera footage showing a student spray-painting classroom doors, so long as the cameras are used exclusively for security purposes and maintained by the school resource officer (SRO). If, however, the SRO discloses the footage to the school principal for the purpose of disciplining the student, that footage would become protected by FERPA. |
Student employee records (34 CFR 99.3 “Education records”) | Records relating to a student who is employed by an educational agency or institution that are made and maintained in the normal course of business, relate exclusively to the individual in their capacity as an employee, and are not available for use for any other purpose. However, records relating to a student in attendance at the EAI who is employed as a result of his or her status as a student are subject to FERPA. | How a student is performing at their part-time job in the alumni relations office, so long as the student was hired independently by that office (for example, not hired through a work-study program). |
Medical Records of Higher Ed Students (34 CFR 99.3 “Education records”) | Physician, psychiatrist, psychologist, or other professional or paraprofessional’s records about the treatment of a student who is 18+ or attending an institution of postsecondary education that are made, maintained, or used only in connection with their professional treatment of the student and only disclosed to individuals providing treatment. | The appointment notes of a psychiatrist at a college detailing sessions with a student at the college. |
Denied Applicant Records (34 CFR 99.3 “Student”) | The information an EAI has about applicants that are not admitted, or about accepted applicants who choose not to enroll in that EAI. | The information a school used when deciding to deny admittance to an applicant. |
Alumni Records (34 CFR 99.3 “Education records”) | Records created or received by an EAI after an individual is no longer a student in attendance and that are not directly related to the individual's attendance as a student. | An alumni relations office’s collection and sharing of survey responses from alumni about their post-graduation careers. |
Peer-Grading Grades (34 CFR 99.3 “Education records”) | Grades on peer-graded papers before they are collected and recorded by a teacher. | Peer-graded assignments before the teacher logs the grades in their gradebook. |
PII of Deceased Eligible Students (Guidance) | FERPA rights of eligible students expire upon the death of the student. However, non-eligible students’ rights are held by parents of students until the student turns 18 or enters postsecondary education, so those rights do not lapse until both the non-eligible student and their parents are deceased. | The disciplinary record of a 22-year-old student who passed away. |
FERPA gives privacy rights to the parents or guardians of students who are under the age of 18 and enrolled in K-12 education. These rights transfer to the students themselves when they reach the age of 18 or are attending a postsecondary institution.
Rights conveyed by FERPA include the rights to:
- Annual notification of the school’s FERPA policy;
- Access the student's PII in educational records;
- Seek to amend and/or correct the student's PII in educational records;
- Confidentiality of the student’s PII in educational records; and
- File a complaint with the U.S. Department of Education for an alleged FERPA violation.
FERPA also gives the right to consent before student PII in education records is disclosed. However, there are many exceptions to this right, and the vast majority of FERPA-protected information is disclosed through a FERPA exception.
Under FERPA, schools can share PII in education records with third parties when parents or eligible students provide written consent. To constitute valid consent under FERPA, written consent must:
- Be signed and dated;
- Specify what records can be disclosed;
- State the purpose for disclosure; and
- Identify to whom the disclosure may be made.
Without such consent, schools can only share PII from education records with third parties if an exception to FERPA’s consent requirement applies and the necessary safeguards are in place.
While obtaining parental consent seems easy enough in theory, the practical hurdles to getting parental consent can complicate this process exponentially for schools. Sometimes it may be parents’ busy schedules or a potential language barrier hindering their ability to provide consent. Other times, the form may accidentally be lost or misplaced or parents may be skeptical of consenting to data sharing when the reason for sharing is not obvious.
It would likely be impossible for schools to operate if student PII could only be disclosed with consent because there are many times that obtaining parental consent may not be feasible in the education context. For example:
Student Grades
- When a student transfers to a new school, their grades have to go with them regardless of whether parental consent is obtained.
Student Medical Information
- Requiring parental consent for sharing student medical information may result in students not receiving necessary care in medical emergencies.
Foreign Language App
- Requiring parental consent to use a translation app with students may result in teachers not being able to communicate with students who are English language learners.
Approved Apps
- Requiring parental consent to use educational technologies that have already been thoroughly vetted for privacy, security, and legal compliance by the school district may prevent students from using educational technology to support or enhance their learning.
Transportation Services
- Requiring parental consent to share student addresses with transportation services may result in some students not having access to reliable transportation to and from school.
Free Lunch Data
- Requiring parental consent to share student eligibility to participate in the National School Lunch Program with school and district staff that facilitate the program may result in eligible students not receiving this service and going hungry.
FERPA accounts for situations like these by enumerating several exceptions to its consent requirement.
Some advocates have argued that FERPA’s exceptions undercut the law’s protections by allowing for indiscriminate sharing of student data without consent, but this perception is often inaccurate. FERPA requires additional safeguards to be employed when an exception to its consent requirement is used to disclose student PII to third parties. While each exception is different, they typically mandate that information shared under an exception:
- Can only be used for a specific educational purpose;
- Can only be shared with the people who need it, and then those people cannot reshare it; and
- Must be under the direct control of the school–meaning that school staff must be able to access, delete, and share the information, and the person receiving the data cannot act without permission from the school. Often, this control is provided through a contract.
To learn about all of FERPA’s exceptions and data that is exempt from FERPA, see the charts below.
School Official (34 CFR 99.31(a)(1) and 34 CFR 99.33(a)) | EAIs may disclose student PII to a school official if that school official has a legitimate educational interest in the student PII. Third parties to whom the EAI has outsourced institutional services or functions may be considered a school official if they are performing a function the EAI would otherwise perform themselves, only use the data for the reason it was shared with them, and are under the EAI’s direct control in regards to the use and maintenance of the data. | A teacher could talk to an administrator or another educator about how to help a particular student. A school could store student data in a third-party vendor’s SIS with a contract in place that specifies the student data can only be used to maintain the SIS and that the vendor is under the school’s direct control. |
Student Transfer or Enrollment (34 CFR 99.31(a)(2) and 34 CFR 99.34) | EAIs can share student PII with other EAIs when a student is transferring or enrolling (or intending to enroll) at a new EAI, so long as the disclosure is only for purposes related to the student’s enrollment or transfer. The EAI must usually make a reasonable attempt to notify the parent or eligible student of the sharing. | A school can send a student’s transcript without consent to a postsecondary institution that the student has applied to. |
Audit and Evaluation (34 CFR 99.31(a)(3) and 34 CFR 99.35) | EAIs may share student PII with an authorized representative of the Comptroller General, the Attorney General, the Secretary of Education, or state and local educational authorities, so long as there is a written agreement that includes the specific safeguards listed in 34 CFR 99.35(a)(3). | An LEA could designate a university as an authorized representative for the purposes of enabling an evaluation and share PII from education records on its former students with the university those students attended. The university can then share those former students’ transcripts back to the LEA, thus permitting the LEA to evaluate how effectively the LEA prepared its students for success in postsecondary education. |
Financial Aid (34 CFR 99.31(a)(4)) | EAIs may disclose student PII in connection with financial aid the student has applied for or received if the PII will help determine the eligibility, amount, or conditions of the aid, or if it will be used to enforce the terms and conditions of the financial aid. | A postsecondary institution could disclose a student’s grades to the financial aid office each semester if there is a requirement that the student maintains above a certain GPA to continue receiving financial aid. |
Juvenile Justice (34 CFR 99.31(a)(5) and 34 CFR 99.38) | EAIs may disclose student PII to state and local authorities of the juvenile justice system if a state statute allows the disclosure and the disclosure concerns the juvenile justice system's ability to effectively serve the student prior to adjudication. | When state statute permits such disclosure, a school could disclose a student’s IEP to officials at a detention facility where the student is being held pending trial. |
Studies (34 CFR 99.31(a)(6)) | EAIs may disclose student PII to develop, validate, or administer predictive tests, to administer student aid programs, or to improve instruction. PII can only be shared when there is a written agreement in place that includes the specific safeguards listed in 34 CFR 99.31(a)(6)(iii)(C). | An SEA may disclose student grades to an organization conducting a study that compares program outcomes across school districts to find which programs provide the best instruction and then duplicate the successful programs in other districts. |
Accrediting Organizations (34 CFR 99.31(a)(7)) | EAIs may disclose student PII to an accrediting organization for the purpose of carrying out their accrediting functions. | A college accreditor could access student PII as part of assessing a college’s student support services. |
Parents of a Dependent Student (34 CFR 99.31(a)(8)) | EAIs may share student PII with parents that claim an “eligible student” (a student who is 18+ or attending a postsecondary institution) as a dependent on their taxes. | The parent of a college student could request access to their child’s grades and, if the EAI verifies that their child is claimed as a dependent on their taxes, the EAI may provide those grades to the parent. |
Judicial Order or Subpoena (34 CFR 99.31(a)(9)) | EAIs may share student PII to comply with a judicial order or a legally issued subpoena, but must make a reasonable effort to notify the parent or eligible student of the subpoena within a reasonable amount of time, unless the court or issuing agency has ordered that it not be disclosed. | A school can disclose attendance information in response to a court order requiring the school to share which students were not in attendance on the date and time that a local store was robbed. |
Legal Action (34 CFR 99.31(a)(9)(iii)) | EAIs may share student PII if they initiate legal action against a parent or student or if a parent or student initiates legal action against the EAI. The disclosure must be relevant for the EAI to proceed with the legal action or defend itself. | A postsecondary institution being sued by a student for inadequate support after a violent crime on campus could disclose the student’s counseling records from the institution’s mental health center to defend against the lawsuit. |
Health or Safety Emergency (34 CFR 99.31(a)(10) and 34 CFR 99.36) | EAIs may disclose student PII in an emergency to help protect the health or safety of the student or other individuals, taking into account the totality of the threat based on information available to the EAI at the time. Student PII should only be shared if there is an articulable and significant threat to the student or others, and should only be shared with individuals whose knowledge of the situation is necessary to protect the health or safety of the student or others. | A school official could call 911 when a student has a medical emergency and disclose any health conditions in the student’s record, such as allergies, that might help first responders assess and treat the student’s medical emergency. |
Directory Information (34 CFR 99.31(a)(11) and 34 CFR 99.37) | EAIs may share information generally considered not to be harmful or an invasion of privacy if released to the public so long as that information has been designated as directory information in an annual notice to parents or eligible students. Parents and eligible students must be given the right to opt out of a student’s PII being disclosed under this exception. | Schools are permitted to list the names of students who are on the honor roll or participating in the school play so long as listing student names for the honor roll and extracurriculars is included in the school’s annual FERPA notice and the school checks to make sure that students have not been opted out of directory information disclosure. |
Disclosure to Parent (34 CFR 99.31(a)(12) and 34 CFR § 99.4) | EAIs must disclose data about a non-eligible student to both parents and allow them to exercise FERPA rights unless there is a court order, state statute, or legally binding document related to divorce, separation, or custody that specifically revokes those rights. | A non-custodial parent must be given access to their child’s education record upon request unless there is a legal restriction against such disclosure. |
Non-Eligible Students (34 CFR 99.31(a)(12)) | EAIs may disclose data about a student to that student and provide them with FERPA rights even when they are not yet “eligible students.” | Schools can share the information that online monitoring software has collected about a non-eligible student upon request by that student. |
Victim of Alleged Violent Crime or Non-Forcible Sex Offense at Postsecondary Institution (34 CFR 99.31(a)(13) and 34 CFR 99.39) | A postsecondary institution may disclose the final results of a disciplinary proceeding for a violent crime or non-forcible sex offense to the victim of the alleged crime or offense, regardless of whether the institution concluded a violation was committed. No additional information can be disclosed under this exception. | A college can tell a rape victim whether the alleged perpetrator was found “guilty” or not in a disciplinary proceeding conducted by the college. |
Violent Crime or Non-Forcible Sex Offense at Postsecondary Institution: Rule or Policy Violations (34 CFR 99.31(a)(14), 34 CFR 99.39, and Appendix A to Part 99, Title 34) | If a postsecondary institution’s post-1998 disciplinary proceeding has determined that a student who has allegedly perpetrated a violent crime or non-forcible sex offense has committed a violation of the institution’s rules or policies in regards to that allegation, the institution may disclose the name of the student who committed the violation, the violation committed, and any sanctions against the student. No additional information can be disclosed under this exception. | A university has a policy prohibiting violence against students. If the university’s disciplinary proceeding finds that John Doe hit another student, the institution could disclose John Doe’s name, that they hit a student, and what John Doe’s punishment will be. |
Alcohol or a Controlled Substance (34 CFR 99.31(a)(15)) | If a postsecondary institution determines that a student under 21 has violated a law or policy governing the use or possession of alcohol or a controlled substance, the university may disclose the violation to the student’s parents unless a state law precludes the disclosure. | An Academic Dean could tell the parents of a 20-year-old student that their child was illegally drinking alcohol. |
Sex Offenders (34 CFR 99.31(a)(16)) | EAIs may disclose student PII if the disclosure relates to sex offenders or other individuals required to register under Section 170101 of the Violent Crimes Control and Law Enforcement Act of 1994. | A school could provide a list of students who are registered sex offenders. |
Food and Nutrition Service Monitoring, Evaluations, and Performance Measurements (20 USC 1232g(b)(1)(K)) | EAIs may share student PII with the Secretary of Agriculture or their authorized representative working for or on behalf of the Food and Nutrition Services for the purposes of conducting program monitoring, evaluations, and performance measurements of EAIs or other agencies or institutions receiving funding or providing benefits under the National School Lunch Act or the Child Nutrition Act of 1966. | A school can provide a list of students who receive a free lunch paid for by a National School Lunch Act program as part of an audit into whether the school is only using the funding to provide services to eligible students. |
Caseworkers (20 USC 1232g(b)(1)(L) and guidance) | EAIs may share student PII with an agency caseworker or other representative of a State or local child welfare agency, tribal organization caseworkers, or other representatives of state or local child welfare agencies or other tribal organizations, so long as such agency or organization is legally responsible for the “care and protection” of the student (as defined by state law) and the individual has the right to access the student’s case plan. | A school can tell a student’s child welfare caseworker that the student will need additional help in order to pass algebra. |
Military Recruiters (Guidance) | K-12 EAIs must provide student names, addresses, and telephone numbers to military recruiters unless parents have opted out of disclosure of directory information. If names, addresses, and telephone numbers are not already designated as directory information, the EAI must send a separate notice to parents about this information and give them an opportunity to opt-out of sharing. | A school must provide all students’ names, addresses, and telephone numbers to a military recruiter, except for the information of students whose parents have opted out of that disclosure. |